A broken access control leads to users that can possibly act outside their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.
Notable Common Weakness Enumerations (CWEs):
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-201: Exposure of Sensitive Information Through Sent Data
- CWE-352: Cross-Site Request Forgery
Examples of CVEs :
Login as admin- Log in with the administrator's user accountAdmin Section- Access the administration section of the juice storeView Basket- View another user's shopping basket
- Enforce least privileges
- Deny by default
- Validate permissions on every request
- Thoroughly review the authorization logic of chosen tools and technologies, implementing custom logic if necessary
- Prefer feature and attribute based access control over RBAC
- Ensure lookup IDs are not accessible even when guessed or cannot be tampered with
- Enforce authorization checks on static resources
- Verify that authorization checks are performed in the right location
- Exit safely when authorization checks fail
- Implement appropriate logging
- Create unit and integration test cases for authorization logic
More info in OWASP's Authorization cheat sheet